Assign an existing User-Assigned Managed Identity to VM from another subscription using Azure Policy
Azure provides a comprehensive list of built-in policy definitions (grouped by the category property defined in the metadata) which are owned and maintained by Microsoft (where the azure-policy repository contains the direct representation of these).
Built-in policy definitions usually cover a specific scenario although some flexibility might be provided through parameters that can be configured. However, customers might have specific needs not covered by an available built-in policy definition and a custom policy definition might be needed.
As a rule of thumb, if there is a built-in policy definition that covers part of a scenario, a custom policy definition can be created based on it introducing the necessary modifications.
Let’s take into consideration the [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines built-in policy definition that creates and assigns a built-in user-assigned managed identity or assigns a pre-created user-assigned managed identity at scale to virtual machines. This currently provides the user-assigned managed identity name and resource group name as parameters expecting that it is on the same subscription as the virtual machine resource. However, in a scenario where the pre-created user-assigned managed identity exists in a different subscription from the virtual machine resource, a custom policy definition is required.
Before creating a custom policy, it is worth checking both the Azure Policy Samples as well as the Community Policy Repository to see whether a policy definition that matches your needs already exists. Coming back to the user-assigned managed identity assignment to virtual machines where the pre-created user-assigned managed identity exists in a different subscription from the virtual machine resource scenario, a custom policy definition is available here where the user assigned managed identity resource URI (which contains the subscription ID) is provided as a parameter.
Published on:
Learn moreRelated posts
Azure Developer CLI (azd) – April 2026
The Azure Developer CLI (azd) shipped five releases in April 2026. The biggest theme this month is multi-language hook support: write azd hook...
Dynamics 365 Supply Chain Management – Run Planning Optimization on Azure operated by 21Vianet
We are announcing the ability for companies in China running Dynamics 365 Supply Chain Management on Azure operated by 21Vianet to run Plannin...
Announcing the Private Preview of Cosmos DB Azure RBAC Integration
Introduction Managing access to Azure resources often means dealing with two separate permission models: one for management operations and ano...
Azure DocumentDB (with MongoDB compatibility) for Banking: A Modern Customer 360 Approach
Introduction: Transforming Customer Intelligence in Banking Every day, people interact with their bank across mobile apps, branches, call cent...
Exam AI-901: Microsoft Azure AI Fundamentals
With a massive amount of focus on AI across the Microsoft platform, I decided to sit the new AI-901 exam, which is the new Azure fundamentals ...
The problem: All-or-nothing batch processing in Azure Service Bus
Azure Functions lets you settle each Service Bus message on its own within a batch. Complete, abandon, dead-letter, or defer messages one by o...
Welcome to Azure Cosmos DB Conf 2026
Today is the day. Azure Cosmos DB Conf 2026, in partnership with AMD, is a free virtual developer event focused on building modern, scalable a...
Azure Data Studio is retired: Move your Azure SQL workflow to VS Code in 10 minutes
Azure Data Studio retired on February 28, 2026. The recommended path forward is Visual Studio Code with the MSSQL extension. If you used ADS d...